Chapter 25. Deprecated Functionality

This chapter provides an overview of functionality that has been deprecated, or in some cases removed, in all minor releases up to Red Hat Enterprise Linux 6.9.

Deprecated functionality continues to be supported until the end of life of Red Hat Enterprise Linux 6. Deprecated functionality will likely not be supported in future major releases of this product and is not recommended for new deployments. For the most recent list of deprecated functionality within a particular major release, refer to the latest version of release documentation.

Deprecated hardware components are not recommended for new deployments on the current or future major releases. Hardware driver updates are limited to security and critical fixes only. Red Hat recommends replacing this hardware as soon as reasonably feasible.

A package can be deprecated and not recommended for further use. Under certain circumstances, a package can be removed from a product. Product documentation then identifies more recent packages that offer functionality similar to, identical to, or more advanced than the deprecated one, and provides further recommendations.

Deprecated Insecure Algorithms and Protocols

Algorithms that provide cryptographic hashes and encryption as well as cryptographic protocols have a lifetime after which they are considered either too risky to use or plain insecure. See the Deprecation of Insecure Algorithms and Protocols in RHEL 6.9 article on the Red Hat Customer Portal for more information.

MD5, MD4, and SHA0 can no longer be used as signing algorithms in OpenSSL

With this update, support for verification of MD5, MD4, and SHA0 signatures in certificates, Certificate Revocation Lists (CRL), and message signatures is removed.

The system administrator can enable MD5, MD4, or SHA0 support by modifying the LegacySigningMDs option in the /etc/pki/tls/legacy-settings policy configuration file, for example:

echo 'LegacySigningMDs algorithm' >> /etc/pki/tls/legacy-settings

To add more than one legacy algorithm, use a comma or any whitespace character except a new line. See the README.legacy-settings in the OpenSSL package for more information.

You can also enable MD5 verification by setting the OPENSSL_ENABLE_MD5_VERIFY environment variable.

This change prevents OpenSSL clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that allowed clients using OpenSSL are not vulnerable to attacks such as the LOGJAM attack.

The system administrator can enable shorter DH parameter support by modifying the MinimumDHBits option in the /etc/pki/tls/legacy-settings file, for example:

echo 'MinimumDHBits 768' > /etc/pki/tls/legacy-settings

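This option can also be used to raise the minimum if required by the system administrator. Note that the > redirection in the example above overwrites the file, discarding any existing entries such as LegacySigningMDs; use >> to append instead.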
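To check whether a host has had these OpenSSL defaults relaxed, the legacy-settings file can be audited. The script below is an added example, not part of the original release notes; it assumes one "Option value" setting per line, as in the echo commands above, and its sample file is constructed.

```sh
#!/bin/sh
# Added example: audit an OpenSSL legacy-settings file for weakened defaults.
# Assumption: one "<Option> <value ...>" setting per line, as in the echo
# commands above; any other syntax in the file is ignored.

# audit_legacy_settings FILE
# Prints one finding per line; returns 1 if a default was weakened, else 0.
audit_legacy_settings() {
    file=$1
    if [ ! -f "$file" ]; then
        echo "OK: $file not present"
        return 0
    fi
    awk '
        $1 == "LegacySigningMDs" {
            # Algorithms are separated by commas or whitespace on one line.
            list = $0
            sub(/^[ \t]*LegacySigningMDs[ \t]*/, "", list)
            n = split(list, algs, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (algs[i] != "") {
                    printf "WEAK: line %d re-enables %s signatures\n", NR, algs[i]
                    bad = 1
                }
        }
        $1 == "MinimumDHBits" {
            if ($2 + 0 < 1024) {
                printf "WEAK: line %d lowers MinimumDHBits to %s\n", NR, $2
                bad = 1
            } else {
                printf "OK: line %d sets MinimumDHBits to %s\n", NR, $2
            }
        }
        END { exit bad + 0 }
    ' "$file"
}

# Constructed sample file, not taken from a real system.
sample=$(mktemp)
printf 'LegacySigningMDs MD5, SHA0\nMinimumDHBits 768\n' > "$sample"
audit_legacy_settings "$sample" || echo "legacy crypto has been re-enabled"
rm -f "$sample"
```

On a real system, pass /etc/pki/tls/legacy-settings as the argument; a non-zero exit status means at least one default has been relaxed.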

EXPORT cipher suites in OpenSSL are deprecated

This change removes support for EXPORT cipher suites in the OpenSSL toolkit. Disabling these weak cipher suites prevents attacks such as the FREAK attack. EXPORT cipher suites are not required in any TLS protocol configuration.

This change prevents GNU Transport Layer Security (GnuTLS) clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that allowed clients using GnuTLS are not vulnerable to attacks such as the LOGJAM attack.

The system administrator can enable shorter DH parameter support by modifying the MinimumDHBits option in the /etc/pki/tls/legacy-settings file, for example:

echo 'MinimumDHBits 768' > /etc/pki/tls/legacy-settings

This option can also be used to raise the minimum if required by the system administrator.

EXPORT cipher suites in GnuTLS are deprecated

This change removes support for EXPORT cipher suites in the GNU Transport Layer Security (GnuTLS) library. Disabling these weak cipher suites prevents attacks such as the FREAK attack. EXPORT cipher suites are not required in any TLS protocol configuration.

The GnuTLS EXPORT cipher suite priority string remains, but as an alias for the NORMAL priority string.

MD5 can no longer be used as a signing algorithm in NSS

This change prevents the Network Security Services (NSS) library from using MD5 as the signing algorithm in TLS. This change ensures that programs using NSS are not vulnerable to attacks such as the SLOTH attack.

The system administrator can enable MD5 support by modifying the /etc/pki/nss-legacy/nss-rhel6.config policy configuration file to:

library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="allow=MD5"

Note that an empty line is required at the end of the file.

NSS clients using TLS no longer allow connections to servers with DH shorter than 1024 bits

This change prevents Network Security Services (NSS) clients from connecting to servers with Diffie-Hellman (DH) parameters shorter than 1024 bits. This ensures that allowed clients using NSS are not vulnerable to attacks such as the LOGJAM attack.

The system administrator can enable shorter DH parameter support by modifying the /etc/pki/nss-legacy/nss-rhel6.config policy configuration file to:

This change removes support for EXPORT cipher suites in the Network Security Services (NSS) library. Disabling these weak cipher suites prevents attacks such as the FREAK attack. EXPORT cipher suites are not required in any TLS protocol configuration.

Deprecated algorithms in OpenSSH: RC4, hmac-md5, and hmac-md5-96

With this update, the arcfour256, arcfour128, and arcfour ciphers and the hmac-md5 and hmac-md5-96 Message Authentication Code (MAC) algorithms are deprecated. Note that this change does not affect any existing server configuration.

The system administrator can enable these deprecated algorithms by editing the ssh_config file, for example:

Host legacy-system.example.com
Ciphers arcfour
MACs hmac-md5
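A check for client configurations that still carry such overrides, as an added example that is not part of the original release notes. It assumes the usual ssh_config syntax ("Keyword value" or "Keyword=value" with comma-separated algorithm lists), and the sample configuration is constructed.

```sh
#!/bin/sh
# Added example: report ssh_config lines that re-enable the deprecated
# ciphers and MACs named above. Assumes OpenSSH client config syntax:
# "Keyword value" or "Keyword=value", with comma-separated algorithm lists.

# scan_ssh_config FILE
# Prints "<host pattern>: <keyword> <algorithm>" per hit; returns 1 on any hit.
scan_ssh_config() {
    awk '
        BEGIN {
            host = "(global)"
            nc = split("arcfour256 arcfour128 arcfour", c, " ")
            nm = split("hmac-md5 hmac-md5-96", m, " ")
            for (i = 1; i <= nc; i++) weak["ciphers", c[i]] = 1
            for (i = 1; i <= nm; i++) weak["macs", m[i]] = 1
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # comments and blank lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]*=[ \t]*/, " ", line)  # normalise Keyword=value
            split(line, f, /[ \t]+/)
            kw = tolower(f[1])               # keywords are case-insensitive
            if (kw == "host") {
                host = line
                sub(/^[^ \t]+[ \t]+/, "", host)
                next
            }
            if (kw != "ciphers" && kw != "macs") next
            k = split(f[2], algs, ",")
            for (i = 1; i <= k; i++)
                if ((kw, algs[i]) in weak) {
                    printf "%s: %s %s\n", host, f[1], algs[i]
                    found = 1
                }
        }
        END { exit found + 0 }
    ' "$1"
}

# Constructed sample configuration, not from a real system.
sample=$(mktemp)
printf 'Host legacy-system.example.com\n  Ciphers arcfour\n  MACs hmac-md5\n' > "$sample"
printf 'Host *\n  Ciphers aes128-ctr\n  MACs hmac-sha1,hmac-md5-96\n' >> "$sample"
scan_ssh_config "$sample" || echo "deprecated algorithms are enabled"
rm -f "$sample"
```

A hit under a broad pattern such as Host * deserves more attention than one scoped to a single legacy host, because it applies to every connection the client makes.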

To completely restore all the deprecated algorithms, add the following snippet to the /etc/ssh/ssh_config file:

The functions implementing cryptographic back-end replacement are considered obsolete and act as no-operation functions now. The following functions exported in the gnutls/crypto.h file are affected:

gnutls_crypto_single_cipher_register2

gnutls_crypto_single_mac_register2

gnutls_crypto_single_digest_register2

gnutls_crypto_cipher_register2

gnutls_crypto_mac_register2

gnutls_crypto_digest_register2

gnutls_crypto_rnd_register2

gnutls_crypto_pk_register2

gnutls_crypto_bigint_register2

Deprecated Drivers

Deprecated device drivers

3w-9xxx

3w-sas

3w-xxxx

aic7xxx

i2o

ips

megaraid_mbox

mptbase

mptctl

mptfc

mptlan

mptsas

mptscsih

mptspi

sym53c8xx

qla3xxx

The following controllers from the megaraid_sas driver have been deprecated:

Dell PERC5, PCI ID 0x15

SAS1078R, PCI ID 0x60

SAS1078DE, PCI ID 0x7C

SAS1064R, PCI ID 0x411

VERDE_ZCR, PCI ID 0x413

SAS1078GEN2, PCI ID 0x78

The following controllers from the be2iscsi driver have been deprecated:

BE_DEVICE_ID1, PCI ID 0x212

OC_DEVICE_ID1, PCI ID 0x702

OC_DEVICE_ID2, PCI ID 0x703

Note that other controllers from the mentioned drivers that are not listed here remain unchanged.

Other Deprecated Components

cluster, luci components

The fence_sanlock agent and checkquorum.wdmd, introduced in Red Hat Enterprise Linux 6.4 as a Technology Preview and providing mechanisms to trigger the recovery of a node using a hardware watchdog device, are considered deprecated.

openswan component

The openswan packages have been deprecated, and libreswan packages have been introduced as a direct replacement for openswan to provide the VPN endpoint solution. openswan is replaced by libreswan during the system upgrade.

seabios component

Native KVM support for the S3 (suspend to RAM) and S4 (suspend to disk) power management states has been discontinued. This feature was previously available as a Technology Preview.

The zerombr yes Kickstart command is deprecated

In some earlier versions of Red Hat Enterprise Linux, the zerombr yes command was used to initialize any invalid partition tables during a Kickstart installation. This was inconsistent with the rest of the Kickstart commands due to requiring two words while all other commands require one. Starting with Red Hat Enterprise Linux 6.7, specifying only zerombr in your Kickstart file is sufficient, and the old two-word form is deprecated.

Btrfs file system

B-tree file system (Btrfs) is considered deprecated for Red Hat Enterprise Linux 6. Btrfs was previously provided as a Technology Preview, available on AMD64 and Intel 64 architectures.

eCryptfs file system

eCryptfs file system, which was previously available as a Technology Preview, is considered deprecated for Red Hat Enterprise Linux 6.

mingw component

Following the deprecation of Matahari packages in Red Hat Enterprise Linux 6.3, at which time the mingw packages were noted as deprecated, and the subsequent removal of Matahari packages from Red Hat Enterprise Linux 6.4, the mingw packages were removed from Red Hat Enterprise Linux 6.6 and later.

The mingw packages are no longer shipped in Red Hat Enterprise Linux 6 minor releases, nor will they receive security-related updates. Consequently, users are advised to uninstall any earlier releases of the mingw packages from their Red Hat Enterprise Linux 6 systems.

Prior to the Red Hat Enterprise Linux 6.5 release, the Red Hat Enterprise Linux High Availability Add-On was considered fully supported on certain VMware ESXi/vCenter versions in combination with the fence_scsi fence agent. Due to limitations in these VMware platforms in the area of SCSI-3 persistent reservations, the fence_scsi fencing agent is no longer supported on any version of the Red Hat Enterprise Linux High Availability Add-On in VMware virtual machines, except when using iSCSI-based storage. See the Virtualization Support Matrix for High Availability for full details on supported combinations: https://access.redhat.com/site/articles/29440.

Users using fence_scsi on an affected combination can contact Red Hat Global Support Services for assistance in evaluating alternative configurations or for additional information.

The Matahari agent framework (matahari-*) packages have been removed from Red Hat Enterprise Linux 6. Focus for remote systems management has shifted towards the use of the CIM infrastructure. This infrastructure relies on an already existing standard which provides a greater degree of interoperability for all users.

distribution component

The following packages have been deprecated and are subject to removal in a future release of Red Hat Enterprise Linux 6. These packages will not be updated in the Red Hat Enterprise Linux 6 repositories, and customers who do not use the MRG-Messaging product are advised to uninstall them from their systems.

python-qmf

python-qpid

qpid-cpp

qpid-qmf

qpid-tests

qpid-tools

ruby-qpid

saslwrapper

Red Hat MRG-Messaging customers will continue to receive updated functionality as part of their regular updates to the product.
